Equation Group: The Crown Creator of Cyber-Espionage
February 17, 2015 1:45 AM

Only now Kaspersky Lab’s experts can confirm they have discovered a threat actor that surpasses anything known in terms of complexity and sophistication of techniques, and that has been active for almost two decades – The Equation Group. Kaspersky provides details [pdf]. Securelist.
posted by Pyrogenesis (84 comments total) 43 users marked this as a favorite
 
Password cracking experts decipher elusive Equation Group crypto hash
Researchers for Moscow-based Kaspersky Lab spent more than two weeks trying to crack the MD5 hash using a computer that tried more than 300 billion plaintext guesses every second. After coming up empty-handed, they enlisted the help of password-cracking experts, both privately and on Twitter, in hopes they would do better. Password crackers Jens Steube and Philipp Schmidt spent only a few hours before figuring out the plaintext behind the hash e6d290a03b70cfa5d4451da444bdea39 was غير مسجل, which is Arabic for "unregistered".
posted by Rhaomi at 1:51 AM on February 17, 2015 [2 favorites]


And since I'm probably not the only character encoding nerd wondering, it's "unregistered" in code page 1256, i.e. the old Windows character set for Arabic.

>>> import hashlib
>>> hashlib.md5(u"غير مسجل".encode("cp1256")).hexdigest()
'e6d290a03b70cfa5d4451da444bdea39'
posted by effbot at 2:08 AM on February 17, 2015 [8 favorites]


Wow. Whoever's doing this has the ability to undetectably target a single machine out of all the computers in the world, no matter where it's located. Here's how:
  1. Assume that there are many infected machines, only one of which is to be targeted at this time.
  2. At some earlier date (e.g., during shipping, or via espionage) learn the $OBJECT_ID of a particular file or filesystem on the target machine.
  3. Process that $OBJECT_ID to create a hash unique to that machine.
  4. Send an updated payload to all infected machines, encrypted with that hash. Note: examining the encrypted payload will not let you deduce the identity of the target!
  5. Every recipient machine will attempt to decipher the payload, using a hash based on their own $OBJECT_ID.
  6. Only the target machine will be able to correctly decipher that payload.
  7. Result: the updated payload is installed on the target, but nobody else can even tell what the payload contains.
posted by Joe in Australia at 2:11 AM on February 17, 2015 [11 favorites]
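The two mechanisms above, the MD5 candidate check from the first comment and the per-machine keyed payload Joe in Australia sketches, modelled as an added example (not the Equation Group's code or Kaspersky's tooling). The key derivation and the SHA-256 counter-mode cipher are stand-ins chosen to keep it stdlib-only, and the fleet of object IDs is constructed.

```python
"""Model of a payload keyed to one machine's $OBJECT_ID, plus the analyst-side
candidate check used on the MD5 hash. Toy KDF and cipher; not the real ones."""
import hashlib
import hmac

TAG_LEN = 32  # HMAC-SHA256 tag appended to every sealed blob


def derive_key(object_id: bytes) -> bytes:
    """Stand-in for 'process the $OBJECT_ID into a hash unique to that machine'."""
    return hashlib.sha256(b"demo-kdf|" + object_id).digest()


def _keystream(key: bytes, length: int) -> bytes:
    """SHA-256 in counter mode: a toy stream cipher, one key per payload."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC, so a non-target host gets a clean rejection, not garbage."""
    ct = _xor(plaintext, _keystream(key, len(plaintext)))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()


def open_sealed(key: bytes, blob: bytes):
    """Returns the plaintext for the right key, None for every other key."""
    if len(blob) < TAG_LEN:
        return None
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return _xor(ct, _keystream(key, len(ct)))


def broadcast(blob: bytes, fleet: dict) -> dict:
    """Step 5 of the sketch: every host tries its own key against the same blob."""
    return {host: open_sealed(derive_key(oid), blob) for host, oid in fleet.items()}


def crack_hash(md5_hex: str, candidates, encodings):
    """Analyst side: hash guessed strings in several code pages and compare.
    Returns (text, encoding) on a match, None otherwise. Mirrors the check that
    found the cp1256 plaintext behind the hash quoted in the thread."""
    for text in candidates:
        for enc in encodings:
            try:
                data = text.encode(enc)
            except UnicodeEncodeError:
                continue  # the guess is not representable in this code page
            if hashlib.md5(data).hexdigest() == md5_hex:
                return text, enc
    return None


# Constructed fleet: three infected hosts, each with a made-up filesystem id.
FLEET = {
    "host-a": b"NTFS-VOL-0001",
    "host-b": b"NTFS-VOL-7A3C",  # the one host the operator wants to update
    "host-c": b"NTFS-VOL-9F10",
}

if __name__ == "__main__":
    blob = seal(derive_key(FLEET["host-b"]), b"stage-2 update")
    for host, result in broadcast(blob, FLEET).items():
        print(host, "decrypted" if result else "rejected")
    print(crack_hash("e6d290a03b70cfa5d4451da444bdea39",
                     ["unregistered", "غير مسجل"], ["utf-8", "cp1256"]))
```

Inspecting the blob alone gives an analyst only ciphertext and a tag; identifying the target means guessing the object ID, which is the same candidate-and-code-page search the hash crack needed.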


Man this is crazily fascinating. I wonder how many mysterious crashes Kaspersky Labs had while putting this report together.
posted by Sebmojo at 2:22 AM on February 17, 2015 [1 favorite]


The post buries the lead a bit - if you haven't RTFA, you might not know that the Equation Group is either being identified as or as a group associated with the NSA.
posted by Pope Guilty at 2:23 AM on February 17, 2015 [12 favorites]


It's a beautiful bit of work by Kaspersky, and congratulations to them on reporting it. One wonders how many US security researchers found hints of these things and didn't disclose them, compromised themselves by NSA.

This kind of deliberate sabotage of computer security is so, so reckless. Even if you accept the US should be doing this kind of spying in general, the diplomatic risks of doing this so wholesale are enormous. And then the technical risks are just astounding. All this complex new software running in a chaotic environment. What if it has bugs? What if NSA malware infects US-owned computers and a hostile actor, say Chinese or Israeli or American, decided to exploit it?

NSA used to be charged with making computers more secure. The more we learn about their programs to undermine computer security, the more worried I get. US companies and researchers are already routinely ignoring NSA advice on designing systems now. Given what we've learned recently, who can blame them?
posted by Nelson at 2:24 AM on February 17, 2015 [6 favorites]


the diplomatic risks of doing this so wholesale are enormous

I don't disagree with you about the wrongness of doing this, however I do disagree with you about the above - from my days studying defense and espionage, my understanding is that everyone (that is, everyone running a decent intelligence agency), is pretty much expecting that all their shit is getting spied on, all the time.

Which is why repercussions are generally just expelled diplomats and the like. Countries, generally, now more than ever, want peace more than they want war. I mean, if you catch someone, you have to make a big song and dance about it, but it's mostly theatre. I guess I feel like the antecedents to spying and espionage are long and storied thanks especially to the Cold War, and the tools were far blunter back then, and the stakes even higher - the rules of engagement are pretty clear cut.

Your technical expertise far, far outweighs mine, however. So if there is a particularly unique technical risk I will accept your experience.
posted by smoke at 2:31 AM on February 17, 2015 [3 favorites]


NSA used to be charged with making computers more secure.

Specifically, making U.S. Government computers secure while facilitating spying on everyone else. The NSA has never been about security for everyone.
posted by Tell Me No Lies at 2:39 AM on February 17, 2015 [5 favorites]


The Equation Group - Some Men Are More Equal Than Others
posted by GallonOfAlan at 2:47 AM on February 17, 2015


Maybe the ultimate destiny of "home 3-d printing" is printing your own CPU from open-source specs?

At this stage, I'm a little puzzled you even need malware. It cannot be that difficult to simply compromise the chip factories themselves and bake your malware into the machine. Business people have no morals once some cash money shows up, and if the CEO doesn't want to play, some line foreman would be more than happy to. Especially when the world's most powerful spy agency, backed by literal thugs with guns, makes some compelling arguments why it would be in your best interest to cooperate.
posted by maxwelton at 3:27 AM on February 17, 2015 [1 favorite]


Maxwelton, the fact that so many disk drives can be undetectably compromised in such similar ways demonstrates that either (a) the manufacturers are quite incompetent; (b) they're riddled with moles; or (c) the author of these exploits came to an understanding with them.
posted by Joe in Australia at 4:07 AM on February 17, 2015 [3 favorites]


Maxwelton, the fact that so many disk drives can be undetectably compromised in such similar ways demonstrates that either (a) the manufacturers are quite incompetent; (b) they're riddled with moles; or (c) the author of these exploits came to an understanding with them.

The hard drives aren't infected when they leave the manufacturer's factory, so I can't see how the manufacturers are responsible. The only "mole" work would be to get some documentation about what commands are used for re-flashing the drive, which might not be available online.

They only become infected when the worm initially gets a foothold on a machine, or possibly via interdiction where NSA grabs your newly bought drive as it transits through UPS/DHL/USPS and infects it before sending it on.
posted by ymgve at 4:57 AM on February 17, 2015 [1 favorite]


How on earth do you pronounce "Brzęczyszczykiewicz"?
posted by cromagnon at 5:08 AM on February 17, 2015


Bzhe-chysh-chy-kiev-ich, where the first ę sounds like a frenchman's chortle.
posted by claudius at 5:15 AM on February 17, 2015 [5 favorites]


"Unregistered"
posted by fullerine at 5:15 AM on February 17, 2015 [1 favorite]


How on earth do you pronounce "Brzęczyszczykiewicz"?

Like this.
posted by ymgve at 5:16 AM on February 17, 2015 [12 favorites]


the group successfully compromised both iOS and OS X devices.

So Linux is still safe?
posted by Obscure Reference at 5:54 AM on February 17, 2015


This is all very suspicious. Saturday in the NYTimes, there was a big report that Kaspersky uncovered the Carbanak APT, and that Kaspersky would release a technical report on Monday. But on Monday, the Kaspersky Securelist Blog pointed to a dead link on their own site, giving a 404 page where the report was supposed to be. The main link on the Kaspersky blog was their report entitled "Equation: the Death Star of the Malware Galaxy." So I checked around, Brian Krebs says he publicly reported about the Anunak APT in December, it's the same as the Carbanak APT, this has all been public knowledge for months. And only this morning (Tuesday) the Kaspersky Carbanak report is live instead of a 404 error page.

To me, this looks like a huge publicity stunt by Kaspersky, to draw attention to their Equation report. But Snowden already leaked parts of Equation, when he published details of NSA hardware and software to subvert computers and telecom systems.
posted by charlie don't surf at 5:56 AM on February 17, 2015 [1 favorite]


To me, this looks like a huge publicity stunt by Kaspersky, to draw attention to their Equation report. But Snowden already leaked parts of Equation, when he published details of NSA hardware and software to subvert computers and telecom systems.

Imagine if malware was the Loch Ness Monster. The Snowden documents were photos of the monster, crystal clear. There was still speculation that it was just a photoshop job, though. (NSA internal marketers upselling features and capabilities they didn't actually have in place yet)

This is Kaspersky telling us that they captured the Loch Ness Monster. But not just that monster, a whole family of Nessies, some which have never been seen before.
posted by ymgve at 6:14 AM on February 17, 2015 [6 favorites]


So Linux is still safe?

lol

i mean, i assume that you're making a joke.
posted by indubitable at 6:19 AM on February 17, 2015


So Linux is still safe?

Not quite sure if this is tongue-in-cheek humor but in case it isn't: the techniques described in the Kaspersky white paper involve getting code to run before the operating system even loads, so no, Linux would not fundamentally provide any special protection to someone who was targeted for an attack.
posted by XMLicious at 6:21 AM on February 17, 2015 [1 favorite]


maxwelton: Maybe the ultimate destiny of "home 3-d printing" is printing your own CPU from open-source specs?

But what if your 3D printer is already infected? This is an issue that has been thought about and discussed for quite a while.
posted by fader at 6:28 AM on February 17, 2015 [5 favorites]


For an entertaining story that has warfare via virus-infected 3D printers ("assembler gates") as a central theme see the 2006 science fiction novel Glasshouse by MeFi's own cstross.
posted by XMLicious at 6:39 AM on February 17, 2015 [2 favorites]


Expect to see considerable interest in vintage computers that are just too simple-minded to contain complex malware. I know people have built fake chips that look like 74-series logic parts but contain microcontrollers, but doing that undetectably and getting them into place undetectably... if I went out and bought a CP/M box on ebay, I'd be pretty comfortable that the NSA or Mystery Science Theatre 3000 or whoever couldn't touch it, especially if I had a pool of spare parts to swap in. Lots of that vintage of computer don't contain any custom chips except PROMS you can swap out for UVEPROMS. (Which doesn't magically make anything I did on it secure - Tempest et al, or just bugging my room! - but it does shut down one channel.)
posted by Devonian at 7:39 AM on February 17, 2015


Until something like Intel Boot Guard is in widespread use, firmware malware is very scary. Last year I developed a proof-of-concept that could virally install itself in the boot ROM of Macs and it is pretty shocking a) how much power the boot ROM has over the system and b) how little security there is once you have code in the firmware.

The tl;dr of my presentation is that, for a certain threat model, your hardware is totally suspect if you've ever let it out of your sight or ever plugged in any device that might have come into contact with a machine that had been infected. Additionally, since the boot ROM controls the system from the very first instruction the CPU executes, you can't even be sure that you can ever detect that there is anything wrong if the malware is sufficiently stealthy.

Pushing this sort of malware into the SATA controllers is pretty neat. It doesn't even require a nation-state level of effort. It is possible for an individual using open source tools and a few months of effort to install custom code into a hard drive firmware, for example.
posted by autopilot at 7:47 AM on February 17, 2015 [21 favorites]


> "Expect to see considerable interest in vintage computers that are just too simple-minded to contain complex malware."

Time to get the Galactica out of dry-dock.
posted by kyrademon at 7:51 AM on February 17, 2015 [9 favorites]


If you work in Infosec, the NSA is actually making your job much more difficult.
posted by tommasz at 7:55 AM on February 17, 2015


Joe in Australia: "At some earlier date (e.g., during shipping, or via espionage) learn the $OBJECT_ID of a particular file or filesystem on the target machine."

It's the old "Physical access is root access" taken to an extreme. When you've got a governmental sized budget and influence over companies, things that seem incredible are quite possible.

We used to think about targeted operations against a single target, but somewhere along the way, the NSA really got a feel for their power and someone raised a hand in a meeting and said "Err.. why don't we just lean on Fedex and UPS and tamper/fingerprint *every* server and router delivered by them, that way we can have the keys to everything when we need it".

It's an interesting and scary time-- I'd love to know how we can build effective sandboxes that can guarantee security even when run on hardware that can't be trusted. Is it even possible? Can you build a strong house on a weak foundation?
posted by Static Vagabond at 8:11 AM on February 17, 2015 [1 favorite]


> If you work in Infosec, the NSA is actually making your job much more difficult.

We are well aware of that. To be fair, though, they're nothing compared to the users.
posted by kjs3 at 8:26 AM on February 17, 2015 [3 favorites]


One thing strikes me - all this stuff, no matter how clever, will only be any good when it generates and receives network traffic (Even the USB-key airgap stuff moves across LANs.)

At some point, there will be packets moving around that the infected host doesn't know about. They can be disguised but they can't be hidden - they have an actual existence - so some form of traffic analysis will always find them. It might be hard to do (just try making sense of ntop on a reasonably busy machine), there are obvious techniques to disguise stuff really well and you have to attend to the security of whatever it is doing the analysis, but I can see interesting potential here that were I in the business, I'd be keen to explore.
posted by Devonian at 8:31 AM on February 17, 2015


I think open firmware is a good option. Maybe one day we will be able to buy a system with a 100% auditable software stack. We're close, anyway.
posted by Poldo at 8:44 AM on February 17, 2015 [3 favorites]


Pope Guilty: The post buries the lead a bit - if you haven't RTFA, you might not know that the Equation Group is either being identified as or as a group associated with the NSA.
At this level of sophistication, since Stuxnet, that's like burying the lead that a new type of nuclear warhead was developed by the US. I'm not really assuming Kmart, ISIS, or Papua New Guinea were even in the running...
posted by IAmBroom at 8:45 AM on February 17, 2015


Tell me if I have this wrong:

Five Eyes and affiliates can spy on your (a) e-mail if anyone you know uses Google or Yahoo or is a member of the human race, (b) all the things called metadata that exist anywhere, (c) cell phone calls through tower spoofers, though you're more likely to have city cops trying to make drug busts listening in on your conversations than anyone else (d) your text messages, IMs, FaceBook messages, Skype conversations, or anything you ever did online unless you're one of five people to have mastered and only ever used encrypted methods of communication, (e) through TAO, if you've managed to attract ire from the wrong folks, they can own your very hardware, (f) oh and they can turn your cameras and microphones on any time they want, (g) and NOW we learn they've infected tens of thousands of computers with an invisible worm, including those of completely innocent academics, so they can go directly into your pr0n folder or embarrassing NaNoWriMo effort and read that shit, too? And hackers who aren't affiliated with a government could decide to use these exploits for lulz or worse?

Please tell me I've got it wrong. I'm wrong, right?
posted by brina at 8:54 AM on February 17, 2015 [1 favorite]


guarantee security even when run on hardware that can't be trusted. Is it even possible?

A trusted process on an untrusted system. There is a famous paper about searching encrypted data, say you have encrypted emails on a remote server, want to search but don't trust the network. Send an encrypted search term and a magic token and the data is never decrypted but the matching encrypted emails are sent back to you on your 'safe' location.

Can that kind of idea be extended to an essentially encrypted virtual machine running on an untrusted host? Seems conceivable.

Now once we get that working, how can we trust the implementation? Now one person or one team is building every component including the compilers and tools used to build the system.
posted by sammyo at 9:00 AM on February 17, 2015


brina: "Please tell me I've got it wrong. I'm wrong, right?"

Sounds right to me— though you forgot to mention that the head of this orwellian masterpiece is also so crap at info security that they still have no idea what Snowden copied off their systems.
posted by Static Vagabond at 9:00 AM on February 17, 2015 [8 favorites]


Please tell me I've got it wrong. I'm wrong, right?

I'd tell you to undress only in the dark but, hey, infrared and various ways of, oh say, tomography that can essentially be xray vision. That's very tinfoil hat theory, but hey too, the foil just helps focus the arrays. :-)
posted by sammyo at 9:08 AM on February 17, 2015 [1 favorite]


It cannot be that difficult to simply compromise the chip factories themselves and bake your malware into the machine.

If the NSA is to be believed, then this is, in fact, what the Chinese military has been doing with Huawei's networking hardware. If what the NSA says can be trusted. It could just as easily be protectionism to benefit American investors, or some other motive.
posted by a lungful of dragon at 9:16 AM on February 17, 2015


One of the reveals is that there's a class of malware that can write itself to the firmware inside a hard disk drive. And no form of erasing that drive can remove it, and it's undetectable to any virus scanner.

It's really a RTFA story all around. Kaspersky is probably a front for (or closely tied to) the FSB, in which case this is an unusual volley of publicity between security services.

Ars has another article than the one linked above -- How “omnipotent” hackers tied to NSA hid for 14 years—and were found at last.
posted by Catblack at 9:30 AM on February 17, 2015


Ars has another article than the one linked above -- How “omnipotent” hackers tied to NSA hid for 14 years—and were found at last.

That's in the first link of the post.
posted by Ickster at 9:43 AM on February 17, 2015 [1 favorite]


At this level of sophistication, since Stuxnet, that's like burying the lead that a new type of nuclear warhead was developed by the US. I'm not really assuming Kmart, ISIS, or Papua New Guinea were even in the running...

one of the founding myths of the internet is that lone "hackers" will always be more sophisticated than corporate/government employees: see, like, any cyberpunk book or movie.

it was always a fantasy, but now it's obvious.
posted by ennui.bz at 9:46 AM on February 17, 2015 [4 favorites]


Let's sneak out while the eyes are downcast...
posted by infini at 9:49 AM on February 17, 2015


If what the NSA says can be trusted.

They're an arm of the US military. Lying to you is a moral imperative to them.
posted by fivebells at 10:17 AM on February 17, 2015 [1 favorite]


Maxwelton, the fact that so many disk drives can be undetectably compromised in such similar ways demonstrates that either (a) the manufacturers are quite incompetent; (b) they're riddled with moles; or (c) the author of these exploits came to an understanding with them.

this doesn't actually necessarily have to be the case. one of the recent leaks (buried in one of the pdfs put out in spiegel's report on nsa malware last month, i don't recall exactly which) showed that nsa offered custom hdd firmware as a project for interns, and as someone linked above, a proof of concept has already been developed by a hobbyist; the fact that they have such extended reach across manufacturers mostly suggests that they have a lot of resources to throw at it
posted by p3on at 10:35 AM on February 17, 2015


Each one of these revelations seems to me like a nudge closer towards the precipice of wrecking the digital economy. When you admit exploits as fundamental and sophisticated as this, it moves a lot of approaches which previously might have been dismissed as being too difficult or expensive out of the realm of fantasy and into the realm of "hm, maybe there actually is some random firmware buried in my CPU dumping copies of every keypair I generate into a hidden memory buffer." These practices are like the Chrome Dome of infosec in their wanton disregard for the low return on a risky investment.
posted by feloniousmonk at 10:37 AM on February 17, 2015 [2 favorites]


Catblack: It's really a RTFA story all around. Kaspersky is probably a front for (or closely tied to) the FSB, in which case this is an unusual volley of publicity between security services.
The FSB is basically Russia's NSA, in case that wasn't clear. And I find myself rejoicing, amazingly, that one of the top anti-malware/infosec firms in the world is basically a front for them. It's distinctly in Russia's political interests to expose US (and by extension, Israel) cyber espionage.
Static Vagabond: Sounds right to me— though you forgot to mention that the head of this orwellian masterpiece is also so crap at info security that they still have no idea what Snowden copied off their systems.
To be fair - this is a bit like asking a bank to list the serial numbers of the (used) dollars that were stolen. It's not like he submitted a request form that can be tracked; he copied data from folders onto memory devices.
posted by IAmBroom at 10:38 AM on February 17, 2015


I read Kaspersky's Q&A thoroughly and want to temper my outrage at the recklessness of the NSA sabotaging computers. Specifically, what Kaspersky has found is that only a few hundred computers have been targeted by this malware. And the majority of those are in Iran, Russia, Pakistan, Afghanistan, India, China, Syria, and Mali. That's actually a pretty precise attack. Kaspersky's paper speculates that may be that NSA was trying to keep this weapon quiet so that it wasn't quickly discovered. But it also seems somewhat responsible; from the initial second hand reports I was imagining a much more widespread attack.

Stuxnet was also highly targeted to specific victim machines. And NSA's compromise of Dual_EC_DRBG appears to be keyed, so that only they could break the algorithm. I still have severe problems with NSA carrying out these kinds of attacks, but at least these three seem competently executed, targeted, and with efforts to minimize collateral damage.

NSA is still responsible for a lot of other more broadly dangerous stuff though, like breaking into Google's datacenter links and stealing email. Or recording vast swaths of Internet traffic. That kind of broader surveillance is dangerous both technically and to democracy.

The hard drive firmware medium is a clever place for attack. We should assume that BIOS and microcode have also been similarly compromised. We've known in theory that would be possible for a long time, just as we knew with hard drive firmware.

The craziest thing is that some dork at NSA forgot to renew some DNS records. Kaspersky has registered some of them (ad-servicestats.net, for instance) and is monitoring the traffic. That seems breathtakingly irresponsible.
posted by Nelson at 10:39 AM on February 17, 2015 [4 favorites]


At some point, there will be packets moving around that the infected host doesn't know about. They can be disguised but they can't be hidden - they have an actual existence - so some form of traffic analysis will always find them. It might be hard to do (just try making sense of ntop on a reasonably busy machine), there are obvious techniques to disguise stuff really well and you have to attend to the security of whatever it is doing the analysis, but I can see interesting potential here that were I in the business, I'd be keen to explore.
nsa's data exfiltration is extremely sophisticated -- from what we know about it, they developed an entire proprietary encrypted streaming protocol called FASHIONCLEFT (pdf). the information we have about this is already nearly six years old, so one might imagine it's become even more sophisticated in the meantime
posted by p3on at 10:41 AM on February 17, 2015


maxwelton: It cannot be that difficult to simply compromise the chip factories themselves and bake your malware into the machine.
Not every businessman is American, or even remotely American-friendly. As a lungful of dragon points out, this is happening, but not always by the "right" people (from the POV of NSA, or whomever is trying to infiltrate said computer).
posted by IAmBroom at 10:43 AM on February 17, 2015


Nelson: Stuxnet was also highly targeted to specific victim machines.
So... the attacks on Iran's nuclear centrifuges won't endanger my home X10 security system? But I thought the NSA was after me!
The craziest thing is that some dork at NSA forgot to renew some DNS records. Kaspersky has registered some of them (ad-servicestats.net, for instance) and is monitoring the traffic.
And Kaspersky has catapulted from Hero status to Superhero.
posted by IAmBroom at 10:45 AM on February 17, 2015


It cannot be that difficult to simply compromise the chip factories themselves and bake your malware into the machine. 

mmm...cookies. :9
posted by sexyrobot at 11:05 AM on February 17, 2015 [1 favorite]


NSA used to be charged with making computers more secure.
That's not quite true. They are tasked with making sure the network infrastructure is secure, and that the ability of the government to utilize that infrastructure is not compromised. The best way to ensure that it is not compromised is to "own" the system.

It's kinda like the nonsense phrase, "please excuse me, for I am the ocean." If you think about it right, no one can fight the ocean. They can fight the fish and the creatures that live in the ocean, but the ocean itself is a medium. If you own the medium (or control, or whatever) you are impervious to attack, and have a massive structural advantage over any adversary.

And as far as the firmware hacks and other fun little games with pre-OS hardware control:
This is simply an extension of hypervisor theory. How does VMWare emulate hardware? In software. How does it know how to do that? The hardware is essentially abstracted by a layer of software that controls and mediates the interaction of the OS and the virtual or physical hardware.

It was kind of inevitable that this would be done, as more and more abstraction layers are added to mediate being able to control larger and larger (and by extension, faster and faster) controls and access. You don't have to be a genius to figure this out, just aware of what is going on in that intermediate zone of translation. The "funny" part is that the problem is due to manufacturers needing read/write capable firmware, instead of read only. If you had your firmware, as in the olden days, hardcoded into the physical chipset as a ROM, this problem would be insurmountable without removing and soldering on a new ROM chip. But that's not where manufacturing went. To allow for "corrections" or an upgrade path, manufacturing put in flashable firmware, which lowered the cost but also created the avenue for this exploit.

Though, I think it's the FASHIONCLEFT thing that interests me the most. The PDF linked won't load for me, but if I remember what I read yesterday about this, it is essentially an obfuscated packet that sits in the Layer 2 level of the networking protocol, and is distinct and separate from TCP/UDP traffic (or hides somewhere in there). This part is the really spooky spook stuff. It's a networking protocol that is outside of most other IEEE standards, and only readable if you have the right software to pick it up. That's the part where when people talk about a "darknet", this is the real "darknet". A networking protocol that runs on the same medium as everything else, but is undetectable and untraceable. It makes TOR look like a fucking joke.
posted by daq at 11:08 AM on February 17, 2015 [5 favorites]


> I know people have built fake chips that look like 74-series logic parts but contain microcontrollers, but doing that undetectably and getting them into place undetectably.

Kinda like these guys?
posted by benito.strauss at 11:17 AM on February 17, 2015


it is essentially an obfuscated packet that sits in the Layer 2 level of the networking protocol, and is distinct and separate from TCP/UDP traffic

On the other hand, if it's not TCP/UDP or any of the known layer 3 protocols, it should throw up red flags at every IDS along the way. Not to mention blocked at any firewall worth a damn.

The most hidden way to exfiltrate data if you are NSA would probably be to use something that looks like SSL, and send the traffic to a host that the machine is expected to communicate with (Like Windows Update), but intercept the traffic along the way to Microsoft.
posted by ymgve at 11:19 AM on February 17, 2015 [2 favorites]


"ask not what your country can do for you...
ask what your country can do to you." Anon.
posted by eggtooth at 11:29 AM on February 17, 2015 [1 favorite]


IAmBroom: "To be fair - this is a bit like asking a bank to list the serial numbers of the (used) dollars that were stolen. It's not like he submitted a request form that can be tracked; he copied data from folders onto memory devices"

No, it's more like asking the bank "Who recently accessed the balances of these accounts". file-systems are an abstraction, they can be easily audited-- if you're dealing with classified documents they should be audited to the absolute hilt and any other method of accessing them should be blocked by a number of procedures and protocols equal to your level of paranoia.

I can see a log of every file that's created, modified, deleted or read by anyone in my workplace, and I'm at the embryonic level of security compared to the big companies. The difference is that I could, by a number of means (getting physical access, deleting logs, using backups etc) get anonymous access myself. That could easily be engineered to not happen if my workplace decided they couldn't deal with that level of trust in one person.

That the NSA couldn't work out such a system is crazy (but very lucky and enlightening for the rest of us).
posted by Static Vagabond at 11:43 AM on February 17, 2015 [1 favorite]


ymgve,
That's the thing, though. If it is operating on the Data Link Layer, your IDS is going to ignore them as part of the error correction that is constantly going on, in the form of parity bits or some other modification to the frame error checking protocol. Your IDS will assume this is just standard error checking, not hidden messages hitching a ride on your normal network traffic.

Heck, even the Wiki page I linked has an example of a way of sending a message through the frame error detection parity bit. And that example is sending a plaintext message, which would be the least likely thing that they are using. And that's just a simple example of how to use Layer 2 as a medium for encoding messages. I'm pretty sure whoever created FASHIONCLEFT is doing a whole lot more with that, possibly even using methods to encrypt or obfuscate the messages. And the part that's interesting is that all this requires is a modified TCP stack on the infected machine to inject this into the frame as it is being passed to the network. And if you combine this with the methods describing how they know enough about EE to load into the firmware of the system before the OS, you could be sending information through your ethernet controller with no modification to your OS. It just adds the hidden data into the frame as the controller sends things out on the network.

And that's just speculating on known methods.

If you want to get super fancy, you have your data hidden in purposeful bad frame meta-data, creating a secondary pattern of network traffic where the message is encoded into the errors. Yes, it's slower and less direct, but then you are already sniffing the packets coming in and out of a firewalled system, and just read the pattern of resends on the frame relay outside of the network. By having the infected system create a pattern of purposeful errors, you create a new data set based upon the error correction traffic (which means you own an upstream router somewhere that will store the error pattern in a log). Once again, IDS is not going to care about Layer 2 error correction as it is something that is expected to happen, unless it is specifically looking for any number of possible methods of creating secondary patterns.

This is why I mention the "ocean" metaphor. If your communications are actually part of the medium that all other traffic is transported through, you have no way of knowing whether it is an intentional pattern of errors or just the regular error checking and correction that is baked into the system.

And that doesn't even get into the whole other crazy network intercept method of spoofing data simply by measuring the voltage differentials on the physical wire itself. Again, it's a physical layer hack, but all it requires is using a magnetic field and calibrated sensor around any trunk connection. At that point, all you are measuring is the voltage change patterns, but those can be recombined into full datagrams because of the nature of how the physical link layer operates.
Here is a PDF from 2002 about how to intercept network traffic using the LED status lights on a network switch to figure out what is being sent over those connections. And that was done from 5 meters away from the device, not even having to physically touch it (mind you, this was at 9600 bits/sec, which is way slower than most modern networking hardware).
posted by daq at 12:09 PM on February 17, 2015 [7 favorites]


since the boot ROM controls the system from the very first instruction the CPU executes, you can't even be sure that you can ever detect that there is anything wrong if the malware is sufficiently stealthy

JTAG knows all. It's a backdoor/testing mode baked into pretty much every chip complex enough to have firmware or other persistent storage. Chip makers use it for debugging during hardware development and for low-level testing during manufacture. It's built into the chip at an electrical level so it can't be compromised after the fact. It can read and write any place malware might try to hide, and malware will not be able to block it.

The problem is that the JTAG specs for something like a motherboard or hard drive are extremely complex and extremely secret. It's not feasible to do much with it unless you have the design files for the chip in question.
posted by ryanrs at 12:12 PM on February 17, 2015


Imagine if malware was the Loch Ness Monster. The Snowden documents were photos of the monster, crystal clear. There was still speculation that it was just a photoshop job, though. (NSA internal marketers upselling features and capabilities they didn't actually have in place yet)

This is Kaspersky telling us that they captured the Loch Ness Monster.


I don't like this analogy, not only because the Loch Ness Monster doesn't exist.

I will compare this to someone back in 2013 releasing spy photos of a new Mustang GT on the Ford test track, and then it turns out that's the 2015 Mustang GT. After the Snowden leaks, this news was inevitable, the technical details were left as an exercise for the reader.

This firmware malware is starting to remind me of Hofstadter's essay Contracrostipunctus, wherein Crab buys a perfect record player that can reproduce all sounds with perfect fidelity, and Tortoise creates a record called "I Cannot be Played on Record Player 1" which is designed to play the exact resonant frequencies that vibrate it to bits, demonstrating it was not a perfect record player because it could not reproduce every possible sound. After some measures and countermeasures, Crab builds Record Player Omega, which optically scans records before playing them, looking for destructive tones, and reconstructs itself so it is immune to that tone, thus proving it is not a perfect record player since it clearly identifies the sound it cannot reproduce.

A formal proof of the impossibility of preventing malware on a General Purpose Computer, as an instance of the Entscheidungsproblem, is left as an exercise for the reader.
posted by charlie don't surf at 12:51 PM on February 17, 2015 [9 favorites]


Static Vagabond: No, it's more like asking the bank "Who recently accessed the balances of these accounts". file-systems are an abstraction, they can be easily audited-- if you're dealing with classified documents they should be audited to the absolute hilt and any other method of accessing them should be blocked by a number of procedures and protocols equal to your level of paranoia.
OK, fair point. I was imagining accessing files locally, but obviously he's downloading/accessing files over networks - and there are (or can be) logs of all such requests. Scratch that - I can't imagine an IT department overseeing classified data that doesn't carefully gatekeep and log such requests. Either they are easily spoofed, or the data retention is ridiculously short. Or, of course, they know exactly what he accessed, and aren't admitting it.
posted by IAmBroom at 1:43 PM on February 17, 2015


And may I say that this entire thread has been as interesting and informative as the Kaspersky news release to me. Thanks all!
posted by IAmBroom at 1:49 PM on February 17, 2015 [4 favorites]


I really recommend that everyone read the link Autopilot provided above: Hard disk hacking - Software flashing

The author is obviously very bright, but he's just working with home-level resources. Nonetheless, he was able to flash a HDD on-board controller with code that rewrites data on-the-fly. Here's one of the examples he gives:
With the firmware hack in place, however, the attacker could tell the hard disk to do something nefarious with the new install. He'd need to trigger that behaviour first, though, and that could be done by writing a certain magic string the firmware hack would look for to the disk. The magic string can be in any file; the attacker could for example upload a .jpeg-file with the string in it to the server. He could also request a file from the webserver with the magic string appended to the URL. That would eventually end up in the logs of the machines, triggering the exploit.

The hard disk firmware hack would then do something nefarious. For example, it could wait for the machine to read out the file /etc/shadow, where all the passwords are stored on a Unix/Linux system, and modify the contents on-the-fly to something the attacker hardcoded earlier. When the attacker would then try to log into the system with his own password, the machine would check this password against the now-modified /etc/shadow and the attacker would be free to log in again.
Get that? Your HDD may be compromised by an exploit that can be triggered by an arbitrary known string. That string can be written to the HDD without your knowledge at any time, just by sticking it inside an innocuous-seeming file that gets cached by your web browser or OS. The exploited HDD can then do anything that can be achieved by manipulating data - it can give root access to an attacker, or corrupt data, or reveal your secrets. It could, for instance, change your IP address table so that all your Internet traffic goes via the NSA. And if the attacker signs the trigger string then you have an exploit that can be triggered by a string sent globally (e.g., hidden inside Google's logo) but which will only affect one single hard drive in the world: yours.

Basically, all your base are belong to them.
posted by Joe in Australia at 2:44 PM on February 17, 2015 [12 favorites]


The fashioncleft doc is very interesting - thanks for that. It seems to me that the relevant bit for this discussion is effectively steganography imposed on low-level traffic/transmission management, where you're modulating signals into the 'noise' of the unreliability of IP.

There are two focuses for those who are keen to guard against this sort of thing. The first is detecting that it's happening, which is a pretty good thing to know: you don't need to know what information is being transferred (you own whatever it is anyway) and you don't need to know where it's going (you can assume the worst), as your main task isn't to bring a court case or mobilise troops, it's to close the thing down. Spotting steg is hard if the tools that generate the information or manage its transfer are compromised, because you can't do a diff between a transmitted copy and a known good original. You can do traffic analysis, where you attempt to spot a signal through variance from your statistical model of the channel noise, and here you do have various potential approaches - change your source material a lot, and see if the signal increases - although the standard TA defences of filling the channel with garbage when you have no signal work against you. However, if the channel is generally quiescent (as you'd expect link layer or physical layer error signals to be), this imposes quite hard utility limits on exfiltration. You can't fill a channel with noise if that channel is not in general noisy.

If you can model an unhacked system well enough, you will be able to spot a hacked system.

The other thing you can do is tinfoilhattery. Fuzz the errors, through an out-board stand-alone system. Intentionally degrading channels to thwart a hidden attacker is respectable if paranoid.

All this is a great deal of fun. Were I thirty years younger, I'd be pulling the wings off this fly with relish.
posted by Devonian at 6:22 PM on February 17, 2015 [3 favorites]
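The traffic-analysis idea in daq's and Devonian's comments (a normally quiescent link-layer error channel, a baseline model of it, and an alarm when observed error counts stop fitting that model) as an added example, not code from the thread or from any product mentioned in it. It assumes an agent that polls interface counters once a minute and emits one line per interface with the frame and FCS-error totals; both the line format and the counter values below are constructed for the illustration. The baseline window fits a per-frame error rate for each interface and each later interval is scored by how unlikely its error count is under a Poisson model at that rate.

```python
"""Flag link-layer error counts that do not fit a baseline fitted from clean traffic."""
import math
import re
from collections import defaultdict

# Constructed sample data (not real captures). One line per minute per interface,
# in the shape a simple counter-polling agent might emit. The baseline window is
# quiet: a handful of FCS errors across roughly a million frames.
BASELINE_LOG = """\
2015-02-17T10:00 eth0 frames=120453 fcs_errors=1
2015-02-17T10:01 eth0 frames=118901 fcs_errors=0
2015-02-17T10:02 eth0 frames=121377 fcs_errors=0
2015-02-17T10:03 eth0 frames=119654 fcs_errors=2
2015-02-17T10:04 eth0 frames=120008 fcs_errors=0
2015-02-17T10:05 eth0 frames=122190 fcs_errors=1
2015-02-17T10:06 eth0 frames=118422 fcs_errors=0
2015-02-17T10:07 eth0 frames=120911 fcs_errors=1
"""

# Constructed observation window: two intervals carry an error burst that the
# fitted rate does not explain.
OBSERVED_LOG = """\
2015-02-18T10:00 eth0 frames=119870 fcs_errors=1
2015-02-18T10:01 eth0 frames=120344 fcs_errors=0
2015-02-18T10:02 eth0 frames=121005 fcs_errors=14
2015-02-18T10:03 eth0 frames=119233 fcs_errors=11
2015-02-18T10:04 eth0 frames=120777 fcs_errors=0
"""

LINE_RE = re.compile(r"^(\S+) (\S+) frames=(\d+) fcs_errors=(\d+)$")


def parse_counters(text):
    """Parse counter lines into (timestamp, iface, frames, errors) tuples; skip junk."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, iface, frames, errors = m.groups()
            records.append((ts, iface, int(frames), int(errors)))
    return records


def fit_baseline(records):
    """Per-interface error rate (errors per frame), pooled over the baseline window."""
    frames = defaultdict(int)
    errors = defaultdict(int)
    for _, iface, f, e in records:
        frames[iface] += f
        errors[iface] += e
    return {iface: errors[iface] / frames[iface] for iface in frames if frames[iface]}


def poisson_tail(k, mu):
    """P(X >= k) for X ~ Poisson(mu); summed directly since mu is small here."""
    if k <= 0:
        return 1.0
    cdf = sum(math.exp(-mu) * mu ** i / math.factorial(i) for i in range(k))
    return max(0.0, 1.0 - cdf)


def detect_anomalies(records, baseline, p_threshold=1e-6):
    """Return (ts, iface, errors, p) for intervals whose error count is implausible
    under the baseline rate. Interfaces with no baseline are skipped, not guessed."""
    flagged = []
    for ts, iface, f, e in records:
        rate = baseline.get(iface)
        if rate is None:
            continue
        p = poisson_tail(e, rate * f)
        if p < p_threshold:
            flagged.append((ts, iface, e, p))
    return flagged


if __name__ == "__main__":
    base = fit_baseline(parse_counters(BASELINE_LOG))
    for hit in detect_anomalies(parse_counters(OBSERVED_LOG), base):
        print("error burst on %s at %s: %d errors (p=%.2e)" % (hit[1], hit[0], hit[2], hit[3]))
```

A flagged interval is a triage signal, not proof of a covert channel: a failing cable or a noisy transceiver produces the same alarm. What the model buys you is exactly Devonian's point: on a link that is normally almost error-free, even a low-bandwidth pattern of deliberate errors stands out, so an attacker who wants to hide there has very little headroom.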


Somewhere in the Middle East, there is a computer we are calling the “The Magnet of Threats” because in addition to Regin [UK/US], it was also infected by Turla [Russia], ItaDuke [?], Animal Farm [?] and Careto/Mask [Spain]. When we tried to analyze the Regin infection on this computer, we identified another module which did not appear to be part of the Regin infection, nor any of the other APTs. Further investigation into this module led us to the discovery of the EQUATIONDRUG platform [US?].

I wonder whose computer this was and if any of these groups realized the others were active on it.
posted by cosmic.osmo at 7:08 PM on February 17, 2015


ItaDuke [?]
If it's previously been spotted targeting Uyghur and Tibetan activists, I think China is a relatively safe assumption.
posted by p3on at 9:00 PM on February 17, 2015 [1 favorite]


Anyone notice that Kaspersky Lab refused to name the NSA themselves or cite the NSA ANT catalog released by Der Spiegel? Any idea why?

Just some "professionalism" point about not "speculating" despite the NSA being the obvious culprit? Any chance Russia asked them not to while Snowden has asylum there?

Also, Kaspersky involved only publications like ArsTechnica not revealing Snowden material, as opposed to The Intercept, Der Spiegel, etc.

We discussed the ANT catalog in the thread about ioerror's 30c3 talk which announced its publication, btw.
posted by jeffburdges at 4:36 AM on February 18, 2015


We need ju-jitsu.
posted by infini at 10:33 AM on February 18, 2015


So Linux is still safe?

Well normal Linux might be unsafe, but Security Enhanced Linux should be fine.
Unfortunately, existing mainstream operating systems lack the critical security feature required for enforcing separation: mandatory access control. As a consequence, application security mechanisms are vulnerable to tampering and bypass, and malicious or flawed applications can easily cause failures in system security.

The results of several previous research projects in this area have yielded a strong, flexible mandatory access control architecture called Flask. A reference implementation of this architecture was first integrated into a security-enhanced Linux® prototype system in order to demonstrate the value of flexible mandatory access controls and how such controls could be added to an operating system. The architecture has been subsequently mainstreamed into Linux and ported to several other systems, including the Solaris™ operating system, the FreeBSD® operating system, and the Darwin kernel, spawning a wide range of related work.
So, Security Enhanced Linux! Helpfully developed by the experts at the NSA. So you can rest easy.

To be fair, there is no reason to suspect that the NSA have put back-door access into the SELinux implementation other than common sense.
posted by asok at 3:19 AM on February 19, 2015 [1 favorite]


Oh boy. This is worse than Sony!

Lenovo: 'Yes, we shipped PCs with malware pre-installed that compromises your security'
and
Lenovo taken to task over 'malicious' adware

A more accurate headline would be "Lenovo is your Man in the Middle": the systems were pre-compromised so that all network data could be analysed and targeted advertisements could be inserted into web pages and popups. Silly Lenovo! If they had just put that as a condition in a click-through license ...
posted by Joe in Australia at 1:07 PM on February 19, 2015


Silly Lenovo! If they had just put that as a condition in a click-through license ...

I don't know if you're joking, but the article says they did.

Lenovo claims that users have the option of rejecting Superfish at start-up: "When using Superfish for the first time, the user is presented the Terms of User and Privacy Policy, and has option not to accept these terms, i.e., Superfish is then disabled."

The article says Superfish has been shipping on Lenovo laptops "for some time," and how long has this been going on? Lenovo says:

Superfish was previously included on some consumer notebook products shipped in a short window between September and December. Lenovo stopped preloading the software in January.

What? They shipped it in September through December, or maybe January. Maybe there are more details on the detailed information link. The text on this page is almost identical, word for word. Almost.

Superfish was previously included on some consumer notebook products shipped between September 2014 and February 2015.

Right, it ended in December, or January, or maybe February.

Superfish has completely disabled server side interactions (since January) on all Lenovo products so that the product is no longer active. This disables Superfish for all products in market.

No, it most definitely does NOT disable Superfish. It merely shut down the command and control server. Did anyone track down where the packets were going? Maybe Lenovo HQ in Beijing? And what if someone figured out how to activate Superfish, without the C&C server? Oh, they already did.

Update: Rob Graham, CEO of security firm Errata Security, has cracked the cryptographic key encrypting the Superfish certificate. That means anyone can now use the private key to launch man-in-the-middle HTTPS attacks that won't be detected by machines that have the certificate installed. It took Graham just three hours to figure out that the password was "komodia" (minus the quotes).
posted by charlie don't surf at 4:05 PM on February 19, 2015 [1 favorite]


I missed the license bit. Well, they covered themselves. Nothing anyone can do now.
posted by Joe in Australia at 5:33 PM on February 19, 2015


I'd like to read the license agreement. I am sure it avoided saying anything truthful like "By clicking AGREE you are consenting to have all your network traffic intercepted by our spy center in Beijing."

The thing that intrigues me is that Lenovo admitted that "user feedback was not positive." User complaints usually surface in more detail after something like this comes to light, but so far there was not much, just that one reddit thread.

BTW has anyone posted today's disclosure?

The Great SIM Heist - How Spies Stole the Keys to the Encryption Castle

and

SIM card makers hacked by NSA and GCHQ leaving cell networks wide open
New Snowden docs show that in 2010, SIM makers lost control of their encryption keys.

posted by charlie don't surf at 6:57 PM on February 19, 2015


There's now a thread on Lenovo and someone posted a link to that, yes. It's ... I don't know, what's the word for the ASCII drawing of someone flipping over a table? Basically, what is the point any more? We might as well write our passwords on our foreheads and be done with it.
posted by Joe in Australia at 7:10 PM on February 19, 2015 [3 favorites]


I just actually said "We might as well just walk around naked" but the sentiment is the same, Joe in Australia.
posted by infini at 2:28 AM on February 20, 2015


Schneier on Security: The Equation Group's Sophisticated Hacking and Exploitation Tools - "We have a serious computer security problem. Everything depends on everything else, and security vulnerabilities in anything affects the security of everything. We simply don't have the ability to maintain security in a world where we can't trust the hardware and software we use."
posted by the man of twists and turns at 11:40 AM on February 21, 2015 [3 favorites]


We need undetectable firmware backup, versioning, comparison, etc. tools that detect changes to better expose such attacks.
posted by jeffburdges at 6:16 AM on February 23, 2015
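The firmware backup/versioning/comparison tooling jeffburdges asks for, reduced to its core, as an added example that is not from the thread or from any tool it mentions: keep a registry of known-good image digests per device and version, and when a fresh dump does not match, report which regions changed rather than just "different". The firmware images below are constructed byte strings standing in for dumps read from a device; the registry, the block size and the device name are assumptions of the example.

```python
"""Known-good firmware registry plus a block-level diff for dumps that do not match."""
import hashlib


def fingerprint(image):
    """SHA-256 hex digest of a whole firmware image."""
    return hashlib.sha256(image).hexdigest()


def changed_blocks(old, new, block_size=256):
    """Return [(offset, length)] of maximal runs of blocks whose contents differ.
    Images of different length are compared up to the longer one, so a size
    change shows up as a trailing changed region rather than being ignored."""
    regions = []
    longest = max(len(old), len(new))
    start = None
    for off in range(0, longest, block_size):
        if old[off:off + block_size] != new[off:off + block_size]:
            if start is None:
                start = off
        elif start is not None:
            regions.append((start, off - start))
            start = None
    if start is not None:
        regions.append((start, longest - start))
    return regions


class FirmwareBaseline:
    """Digests of images that were verified good, keyed by device and version label."""

    def __init__(self):
        self._known = {}  # device -> {digest: version}

    def record(self, device, version, image):
        self._known.setdefault(device, {})[fingerprint(image)] = version

    def check(self, device, image):
        """Version label if this exact image is known good for the device, else None."""
        return self._known.get(device, {}).get(fingerprint(image))

    def explain(self, device, image, reference_version):
        """Changed regions between a dump and the recorded image of a given version.
        Needs the reference image itself, so the caller supplies it via lookup."""
        raise NotImplementedError("store reference images alongside digests to use this")


# Constructed sample images (not real firmware): a 4 KiB "gold" dump and a copy
# with two small modifications, one at 0x400 and one single-bit flip at 0xC00.
GOLD = bytes(range(256)) * 16
_t = bytearray(GOLD)
_t[0x400:0x408] = b"\xff" * 8
_t[0xC00] ^= 0x01
TAMPERED = bytes(_t)


def demo():
    """Register the gold image, then check both images; returns (gold_ver, tampered_ver, regions)."""
    registry = FirmwareBaseline()
    registry.record("hdd-controller-example", "v1.0", GOLD)  # device name is a placeholder
    return (
        registry.check("hdd-controller-example", GOLD),
        registry.check("hdd-controller-example", TAMPERED),
        changed_blocks(GOLD, TAMPERED),
    )


if __name__ == "__main__":
    print(demo())
```

The comparison is only as good as the dump path: if the controller's own firmware is what serves up the image, a compromised controller can simply return the gold copy. That is why the "undetectable" part of the request matters, and why ryanrs's point about JTAG (or any external reader that bypasses the device's firmware) is the missing half of this tool.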


Just came across this post in a Linux kernel newsgroup, pertinent to the disk drive shenanigans seen in the Equation Group malware:
The last PC hard disks that were defined to do what you told them were ST-506 MFM and RLL devices. IDE disks are basically 'disk emulators', SSDs vastly more so.

An IDE disk can do what it likes with your I/O so long as your requests and returns are what the standard expects. So for example if you zero a sector it's perfectly entitled to set a bit in a master index of zeroed sectors. You can't tell the difference and externally it looks like an ST506 disc with extensions. Even simple devices may well move blocks around to deal with bad blocks, or high usage spots to avoid having to keep rewriting the tracks either side.

An SSD internally has minimal relationship to a disc. If you have the tools to write a file, write over it, discard it and then dump the flash chips you'll probably find it's still there.

If you plug a Raspberry Pi into a modern large hard disk, the chances are the smarter end of the cable is the disk.
posted by XMLicious at 12:23 PM on February 28, 2015 [4 favorites]


Whoa. Excellent, excellent point. And, by implication, writing zeroes to a disk is meaningless: a smart HD knows what zeroes are and it can easily just set a flag that says "serve a bunch of zeroes when you get asked for these sectors". In fact, the only way to truly erase a disk would be by writing "random" data to it until the disk is full, and then reading all that data back to ensure that it was written - after physically confirming the size of the HD so you know you're not just reading a copy of your data.
The erasing procedures that tell you to write zeroes followed by ones followed by alternating patterns and so forth? They are lies, designed to give you a false sense of security. If you have been targeted your data is still on the HD, and you're being served an algorithmically-produced replica of the data pattern you laid down.
posted by Joe in Australia at 4:49 PM on February 28, 2015
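Joe in Australia's erase-and-verify procedure (confirm the device size from the device itself, fill it with unpredictable data, then read everything back and compare) as an added example; this is not code from the thread. It assumes the device is reachable as a path that can be opened read-write and seeked to its end, which holds for a regular file and, with sufficient privilege, for a Linux block device; the `demo()` function uses a temporary file as a stand-in for the device, and the SHA-256-counter keystream is this example's own construction, chosen only so that the verify pass can regenerate the expected bytes without holding the whole pattern in memory.

```python
"""Overwrite a device with a regenerable random-looking pattern, then verify it by reading back."""
import hashlib
import os
import tempfile

CHUNK = 4096  # bytes written/read per step


def keystream(seed, offset, length):
    """Deterministic pseudorandom bytes covering [offset, offset+length).
    SHA-256(seed || block counter), 32 bytes per block (own construction, for
    verification only; not a cipher and not meant to be one)."""
    out = bytearray()
    block = offset // 32
    skip = offset % 32
    while len(out) < skip + length:
        out += hashlib.sha256(seed + block.to_bytes(8, "big")).digest()
        block += 1
    return bytes(out[skip:skip + length])


def device_size(path):
    """Size in bytes as reported by seeking to the end of the device/file itself,
    not by trusting a label or a partition table."""
    fd = os.open(path, os.O_RDONLY)
    try:
        return os.lseek(fd, 0, os.SEEK_END)
    finally:
        os.close(fd)


def overwrite(path, seed):
    """Fill the whole device with the keystream and flush; returns bytes written."""
    size = device_size(path)
    with open(path, "r+b") as f:
        off = 0
        while off < size:
            n = min(CHUNK, size - off)
            f.write(keystream(seed, off, n))
            off += n
        f.flush()
        os.fsync(f.fileno())
    return size


def verify(path, seed):
    """Read the device back and compare with the regenerated keystream.
    Returns (True, None) on success, else (False, offset of first mismatch)."""
    size = device_size(path)
    with open(path, "rb") as f:
        off = 0
        while off < size:
            n = min(CHUNK, size - off)
            got = f.read(n)
            want = keystream(seed, off, n)
            if got != want:
                bad = next((i for i, (a, b) in enumerate(zip(got, want)) if a != b),
                           min(len(got), len(want)))
                return False, off + bad
            off += n
    return True, None


def demo(size=10000):
    """Run the procedure on a temporary file standing in for a block device (constructed).
    Returns (bytes_written, clean_result, result_after_one_byte_is_corrupted)."""
    seed = os.urandom(16)
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"\x00" * size)
        path = tmp.name
    try:
        written = overwrite(path, seed)
        clean = verify(path, seed)
        # Simulate a device that silently failed to store one byte at offset 5000.
        with open(path, "r+b") as f:
            f.seek(5000)
            original = f.read(1)
            f.seek(5000)
            f.write(bytes([original[0] ^ 0xFF]))
        tampered = verify(path, seed)
    finally:
        os.unlink(path)
    return written, clean, tampered


if __name__ == "__main__":
    print(demo())
```

Two caveats the thread itself raises. First, a read-back that is served from the host's page cache proves nothing about the medium, so on a real device the verify pass should bypass the cache (on Linux, an `O_DIRECT` open with aligned buffers) or run after a remount. Second, as XMLicious's quoted kernel post notes, a passing verify only shows that the controller returns what you wrote when asked; it cannot show that older contents are gone from flash or remapped sectors, which is exactly the limit Joe describes.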


And everything that shows up as empty regions of the drive could in reality be full of a 2nd, 3rd, 𝑛th operating system running simultaneously to your own and doing whatever it wants. Maybe we're all collectively hosting encrypted cloud storage for the stuff the NSA doesn't trust to keep on its own systems.
posted by XMLicious at 6:23 PM on February 28, 2015


New smoking gun further ties NSA to omnipotent “Equation Group” hackers
The strongest new tie to the NSA was the string "BACKSNARF_AB25" discovered only a few days ago embedded in a newly found sample of the Equation Group espionage platform dubbed "EquationDrug." "BACKSNARF," according to page 19 of this undated NSA presentation, was the name of a project tied to the NSA's Tailored Access Operations.
posted by XMLicious at 6:17 AM on March 12, 2015 [1 favorite]


The strongest new tie
posted by infini at 9:54 AM on March 12, 2015

